The information in this section is intended for security researchers interested in reporting security vulnerabilities to the Ethos Information Security team.
Ethos strongly believes that collaboration with the security community is key to maintaining secure environments for our customers and staff. As such, if you believe you've discovered a security vulnerability on an Ethos information asset/application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private while we are working to analyze and resolve the underlying issues before any necessary disclosures are made.
In return, we will work to review reports we receive and respond in a timely manner. Ethos will not seek law enforcement remedies against you for identifying security issues, so long as you abide by applicable law and Ethos policies regarding reports, including: taking no actions which would compromise the safety or privacy of our customers or company data, and destroying any sensitive data you might have gathered from Ethos as part of your research once the issues you identified are resolved or at any time upon request from Ethos.
Thanks for your help!
We are primarily interested in hearing about the following vulnerability categories:
The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.
Our public program currently does not provide any monetary reward beyond Ethos’s eternal gratitude. At Ethos’s discretion, we may make exceptions to this policy for exceptional contributions (subject to the Legal Notices below).
Alternatively, please send us an email at security.talk@getethos.com and provide as much information as you can regarding the vulnerability. The following types of information will be particularly helpful for us:
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary program. We reserve the right to cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion.
Lastly, your testing must not violate any law.